Installing X.509 encryption certificates in Windows

X.509 encryption certificates form the backbone of SSL, an encryption protocol used for everything from Web browsing to sending and receiving email securely. Most products with SSL support in the Windows world rely on the system to store and manage X.509 encryption certificates. In the UNIX world applications are often on their own for X.509 certificate management, making things slightly more difficult.

For most users wishing to use SSL-enabled services, such as HTTP, SMTP, IMAP, POP and so on, finding a client and server capable of supporting it is relatively easy. But for many of us the cost involved in getting a certificate signed by an entity such as Verisign (especially when it requires a yearly renewal fee) can cause problems, assuming of course Verisign will even issue you a certificate of the type you want (outside of standard HTTP certificates you are usually on your own). Consequently, many organizations choose to create self-signed, individual certificates -- avoiding the setup of a certificate authority -- if all they need is a half dozen certificates or fewer. This in turn leads to a new problem: users being prompted to accept an SSL certificate every time they use a service, or in the case of Outlook, being prompted every time they attempt to download e-mail! Of course with a certificate signed by Verisign this would be no problem, since the signing certificate used by Verisign would be installed into Windows.

It follows that the solution is to install your own certificates into Windows on a permanent basis, thus preventing users from being continually prompted to accept certificates. And this is the point where things usually fall apart, since most applications, such as Outlook Express, do not have the ability to import certificates from a server -- leaving users to click "Use this server" every time they check for email.

Fortunately the answer is simple and quick. Using Internet Explorer, load the URL for the service; for example, with an SSL-enabled IMAP server running on "imap.example.com", place the following URL into the Address bar:

https://imap.example.com:993/

Users will be prompted with the normal certificate dialog; if they choose to install the certificate, it will then be available to Outlook Express and any other application that uses the Windows certificate store.

The following is a list of common SSL-enabled services and their port numbers:

SSL IMAP 993
SSL POP 995
SSL HTTP 443
SSL SMTP 465
SSL NNTP 563
SSL LDAP 636

Point Internet Explorer at the server and the appropriate port, and you will be able to install the certificate with ease. To make life easier for users, you can also export the certificate, allowing it to be distributed in a custom build of Internet Explorer, for example, or housed on a company Intranet site.
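The same procedure can be scripted so that administrators, rather than each user, decide which server certificates get installed. The PowerShell below is an added example, not part of the original tip: it retrieves the certificate presented on the SSL port, shows its thumbprint so it can be compared with a value published out of band (the `$ExpectedThumbprint` placeholder), and only then exports it to a .cer file for distribution and adds it to the current user's Trusted Root store. The hostname, port and store location are assumptions chosen to match the IMAP example above.

```powershell
# Added example (not from the original tip): fetch a server's X.509 certificate
# from an SSL/TLS port, verify its thumbprint, export it, and install it into
# the Windows certificate store so store-aware applications stop prompting.
param(
    [string]$Server    = 'imap.example.com',   # assumed hostname
    [int]   $Port      = 993,                  # SSL IMAP, from the port list above
    [string]$StoreName = 'Root',               # Trusted Root Certification Authorities
    [string]$StoreLoc  = 'CurrentUser'         # or 'LocalMachine' (needs admin rights)
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    # Accept whatever certificate the server presents during the handshake: we
    # only want to *see* it here. Trust is granted below, after the fingerprint check.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy the remote certificate out before the stream is closed
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$cert = Get-ServerCertificate -HostName $Server -TcpPort $Port
Write-Host "Subject         : $($cert.Subject)"
Write-Host "Issuer          : $($cert.Issuer)"
Write-Host "Valid until     : $($cert.NotAfter)"
Write-Host "SHA-1 thumbprint: $($cert.Thumbprint)"

# Compare against the thumbprint the server administrator published (placeholder
# value here); a mismatch means a different certificate is being presented.
$ExpectedThumbprint = 'PLACEHOLDER-REPLACE-WITH-PUBLISHED-THUMBPRINT'
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch for ${Server}:${Port}; certificate not installed."
}

# Export the public certificate (no private key) once for distribution, e.g. on an Intranet site
$cerPath = Join-Path $env:TEMP "$Server.cer"
[System.IO.File]::WriteAllBytes($cerPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Install into the chosen store; this is what the Internet Explorer dialog does interactively
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLoc)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
Write-Host "Installed $($cert.Subject) into $StoreLoc\$StoreName; exported copy at $cerPath"
```

Placing a self-signed server certificate in the Root store makes that one certificate a trust anchor for every store-aware application, which is why the thumbprint check belongs before the install step rather than after it.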


About the author
Kurt Seifried is an Information Security Analyst with interests ranging from Microsoft and UNIX systems to network protocols and encryption (to name but a few). He has written a large number of articles (available online) and maintains many resources on his Website. He was formerly the senior analyst and main writer for SecurityPortal. Visit his site at http://seifried.org/security/.


This was first published in June 2002
